feat: Hardware Security Module support

.circleci/config.yml

@@ -69,12 +69,49 @@ jobs:
       - golangci/install
       - golangci/lint
       - run: make .bin/go-acc
-      - run: .bin/go-acc -o coverage.out ./... -- -failfast -timeout=20m -tags sqlite
+      - run: .bin/go-acc -o coverage.out ./... -- -failfast -timeout=20m -tags=sqlite,hsm
       #      Running race conditions requires parallel tests, otherwise it's worthless (which is the case)
       #      - run: go test -race -short $(go list ./... | grep -v cmd)
       - run: |
           bash <(curl -s https://codecov.io/bash)
 
+  test-hsm:
+    docker:
+      - image: cimg/go:1.16-node
+        environment:
+          - HSM_ENABLED=true
+          - HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+          - HSM_TOKEN_LABEL=hydra
+          - HSM_PIN=1234
+          - TEST_DATABASE_POSTGRESQL=postgres://test:test@localhost:5432/postgres?sslmode=disable
+          - TEST_DATABASE_MYSQL=mysql://root:test@(localhost:3306)/mysql?multiStatements=true&parseTime=true
+          - TEST_DATABASE_COCKROACHDB=cockroach://root@localhost:26257/defaultdb?sslmode=disable
+      - image: postgres:9.6
+        environment:
+          - POSTGRES_USER=test
+          - POSTGRES_PASSWORD=test
+          - POSTGRES_DB=postgres
+      - image: mysql:8.0
+        environment:
+          - MYSQL_ROOT_PASSWORD=test
+      - image: cockroachdb/cockroach:v20.2.5
+        command: start-single-node --insecure
+    steps:
+      - checkout
+      - setup_remote_docker
+
+      - go/load-cache:
+          key: ory-hydra-go-mod-v1
+      - go/mod-download
+      - go/save-cache:
+          key: ory-hydra-go-mod-v1
+
+      - run: sudo apt update
+      - run: sudo apt install -y softhsm opensc
+      - run: sudo rm -rf /var/lib/softhsm/tokens; sudo mkdir -p /var/lib/softhsm/tokens; sudo chmod -R a+rwx /var/lib/softhsm; sudo chmod a+rx /etc/softhsm; sudo chmod a+r /etc/softhsm/*
+      - run: pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra
+      - run: go test -p 1 -v -failfast -short -timeout=20m -tags=sqlite,hsm ./...
+
   test-e2e:
     docker:
       - image: oryd/e2e-env:latest
@@ -157,13 +194,18 @@ workflows:
           filters:
             tags:
               only: /.*/
+      - test-hsm:
+          filters:
+            tags:
+              only: /.*/
       - test-e2e:
           filters:
             tags:
               only: /.*/
       - changelog/generate:
           requires:
             - test
+            - test-hsm
             - test-e2e
             - docs/build
 #            - test-legacy-migrations-mysql
@@ -179,6 +221,7 @@ workflows:
           specignorepgks: internal/httpclient gopkg.in/square/go-jose.v2
           requires:
             - test
+            - test-hsm
             - test-e2e
 #            - test-legacy-migrations-mysql
 #            - test-legacy-migrations-cockroach
@@ -192,6 +235,7 @@ workflows:
           swagpath: spec/api.json
           requires:
             - test
+            - test-hsm
             - sdk/generate
             - goreleaser/release
             - docs/build
@@ -216,6 +260,7 @@ workflows:
       - goreleaser/release:
           requires:
             - test
+            - test-hsm
             - test-e2e
             - changelog/generate
   #            - test-legacy-migrations-mysql

.docker/Dockerfile-hsm

@@ -0,0 +1,57 @@
+FROM golang:1.16-alpine AS builder
+
+RUN apk -U --no-cache add build-base git gcc bash
+
+WORKDIR /go/src/github.com/ory/hydra
+
+ADD go.mod go.mod
+ADD go.sum go.sum
+
+ENV GO111MODULE on
+ENV CGO_ENABLED 1
+
+RUN go mod download
+
+ADD . .
+
+FROM builder as build-hydra
+RUN go build -tags=sqlite,hsm -o /usr/bin/hydra
+
+FROM builder as test-hsm
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
+
+RUN apk -U --no-cache add softhsm opensc; \
+    pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra; \
+    go test -p 1 -v -failfast -short -tags=sqlite,hsm ./...
+
+FROM alpine:3.14.2
+
+RUN apk -U --no-cache add softhsm opensc; \
+    pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra
+
+RUN addgroup -S ory; \
+    adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \
+    chown -R ory:ory /home/ory; \
+    chown -R ory:ory /var/lib/softhsm/tokens
+
+COPY --from=build-hydra /usr/bin/hydra /usr/bin/hydra
+
+# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
+# is required for read/write of SQLite.
+RUN mkdir -p /var/lib/sqlite
+RUN chown ory:ory /var/lib/sqlite
+VOLUME /var/lib/sqlite
+
+# Exposing the ory home directory
+VOLUME /home/ory
+
+# Declare the standard ports used by hydra (4433 for public service endpoint, 4434 for admin service endpoint)
+EXPOSE 4444 4445
+
+USER ory
+
+ENTRYPOINT ["hydra"]
+CMD ["serve"]

.dockerignore

@@ -13,5 +13,4 @@ dist
 .bin
 test/e2e
 test/mock-*
-test/stub
 cypress

.goreleaser.yml

@@ -14,8 +14,7 @@ builds:
   -
     id: hydra-sqlite-darwin
     flags:
-      - -tags
-      - sqlite
+      - -tags=sqlite,hsm
     ldflags:
       - -s -w -X github.com/ory/hydra/driver/config.Version={{.Tag}} -X github.com/ory/hydra/driver/config.Commit={{.FullCommit}} -X github.com/ory/hydra/driver/config.Date={{.Date}}
       # - "-extldflags '-static'"
@@ -32,8 +31,7 @@ builds:
   -
     id: hydra-sqlite-linux
     flags:
-      - -tags
-      - sqlite
+      - -tags=sqlite,hsm
     ldflags:
       - -s -w -X github.com/ory/hydra/driver/config.Version={{.Tag}} -X github.com/ory/hydra/driver/config.Commit={{.FullCommit}} -X github.com/ory/hydra/driver/config.Date={{.Date}}
     binary: hydra
@@ -46,8 +44,7 @@ builds:
   -
     id: hydra-sqlite-linux-libmusl
     flags:
-      - -tags
-      - sqlite
+      - -tags=sqlite,hsm
     ldflags:
       - -s -w -X github.com/ory/hydra/driver/config.Version={{.Tag}} -X github.com/ory/hydra/driver/config.Commit={{.FullCommit}} -X github.com/ory/hydra/driver/config.Date={{.Date}}
     binary: hydra
@@ -61,8 +58,7 @@ builds:
   -
     id: hydra-sqlite-windows
     flags:
-      - -tags
-      - sqlite
+      - -tags=sqlite,hsm
     ldflags:
       - -s -w -X github.com/ory/hydra/driver/config.Version={{.Tag}} -X github.com/ory/hydra/driver/config.Commit={{.FullCommit}} -X github.com/ory/hydra/driver/config.Date={{.Date}}
       - "-extldflags '-static'"